Medium severityOSV Advisory· Published Aug 15, 2025· Updated Apr 15, 2026
CVE-2025-55207
CVE-2025-55207
Description
Astro is a web framework for content-driven websites. Following CVE-2025-54793 there's still an Open Redirect vulnerability in a subset of Astro deployment scenarios prior to version 9.4.1. Astro 5.12.8 addressed CVE-2025-54793 where https://example.com//astro.build/press would redirect to the external origin //astro.build/press. However, with the Node deployment adapter in standalone mode and trailingSlash set to "always" in the Astro configuration, https://example.com//astro.build/press still redirects to //astro.build/press. This affects any user who clicks on a specially crafted link pointing to the affected domain. Since the domain appears legitimate, victims may be tricked into trusting the redirected page, leading to possible credential theft, malware distribution, or other phishing-related attacks. This issue has been patched in version 9.4.1.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
@astrojs/nodenpm | < 9.4.1 | 9.4.1 |
Affected products
1Patches
234 files changed · +185 −182
.changeset/kind-kids-listen.md+0 −71 removed@@ -1,71 +0,0 @@ ---- -'astro': minor ---- - -Adds an experimental flag `staticImportMetaEnv` to disable the replacement of `import.meta.env` values with `process.env` calls and their coercion of environment variable values. This supersedes the `rawEnvValues` experimental flag, which is now removed. - -Astro allows you to configure a [type-safe schema for your environment variables](https://docs.astro.build/en/guides/environment-variables/#type-safe-environment-variables), and converts variables imported via `astro:env` into the expected type. This is the recommended way to use environment variables in Astro, as it allows you to easily see and manage whether your variables are public or secret, available on the client or only on the server at build time, and the data type of your values. - -However, you can still access environment variables through `process.env` and `import.meta.env` directly when needed. This was the only way to use environment variables in Astro before `astro:env` was added in Astro 5.0, and Astro's default handling of `import.meta.env` includes some logic that was only needed for earlier versions of Astro. - -The `experimental.staticImportMetaEnv` flag updates the behavior of `import.meta.env` to align with [Vite's handling of environment variables](https://vite.dev/guide/env-and-mode.html#env-variables) and for better ease of use with Astro's current implementations and features. **This will become the default behavior in Astro 6.0**, and this early preview is introduced as an experimental feature. - -Currently, non-public `import.meta.env` environment variables are replaced by a reference to `process.env`. Additionally, Astro may also convert the value type of your environment variables used through `import.meta.env`, which can prevent access to some values such as the strings `"true"` (which is converted to a boolean value), and `"1"` (which is converted to a number). - -The `experimental.staticImportMetaEnv` flag simplifies Astro's default behavior, making it easier to understand and use. Astro will no longer replace any `import.meta.env` environment variables with a `process.env` call, nor will it coerce values. - -To enable this feature, add the experimental flag in your Astro config and remove `rawEnvValues` if it was enabled: - -```diff -// astro.config.mjs -import { defineConfig } from "astro/config"; - -export default defineConfig({ -+ experimental: { -+ staticImportMetaEnv: true -- rawEnvValues: false -+ } -}); -``` - -#### Updating your project - -If you were relying on Astro's default coercion, you may need to update your project code to apply it manually: - -```diff -// src/components/MyComponent.astro -- const enabled: boolean = import.meta.env.ENABLED; -+ const enabled: boolean = import.meta.env.ENABLED === "true"; -``` - -If you were relying on the transformation into `process.env` calls, you may need to update your project code to apply it manually: - -```diff -// src/components/MyComponent.astro -- const enabled: boolean = import.meta.env.DB_PASSWORD; -+ const enabled: boolean = process.env.DB_PASSWORD; -``` - -You may also need to update types: - -```diff -// src/env.d.ts -interface ImportMetaEnv { - readonly PUBLIC_POKEAPI: string; -- readonly DB_PASSWORD: string; -- readonly ENABLED: boolean; -+ readonly ENABLED: string; -} - -interface ImportMeta { - readonly env: ImportMetaEnv; -} - -+ namespace NodeJS { -+ interface ProcessEnv { -+ DB_PASSWORD: string; -+ } -+ } -``` - -See the [experimental static `import.meta.env` documentation](https://docs.astro.build/en/reference/experimental-flags/static-import-meta-env/) for more information about this feature. You can learn more about using environment variables in Astro, including `astro:env`, in the [environment variables documentation](https://docs.astro.build/en/guides/environment-variables/).
.changeset/lemon-wombats-bathe.md+0 −5 removed@@ -1,5 +0,0 @@ ---- -'@astrojs/node': patch ---- - -Fixes a routing bug in standalone mode with `trailingSlash` set to `"always"`.
.changeset/plain-dragons-bow.md+0 −24 removed@@ -1,24 +0,0 @@ ---- -'astro': minor ---- - -Adds experimental support for automatic [Chrome DevTools workspace folders](https://developer.chrome.com/docs/devtools/workspaces) - -This feature allows you to edit files directly in the browser and have those changes reflected in your local file system via a connected workspace folder. This allows you to apply edits such as CSS tweaks without leaving your browser tab! - -With this feature enabled, the Astro dev server will automatically configure a Chrome DevTools workspace for your project. Your project will then appear as a workspace source, ready to connect. Then, changes that you make in the "Sources" panel are automatically saved to your project source code. - -To enable this feature, add the experimental flag `chromeDevtoolsWorkspace` to your Astro config: - -```js -// astro.config.mjs -import { defineConfig } from 'astro/config'; - -export default defineConfig({ - experimental: { - chromeDevtoolsWorkspace: true, - }, -}); -``` - -See the [experimental Chrome DevTools workspace feature documentation](https://docs.astro.build/en/reference/experimental-flags/chrome-devtools-workspace/) for more information.
.changeset/red-candles-invite.md+0 −27 removed@@ -1,27 +0,0 @@ ---- -'@astrojs/sitemap': minor ---- - -Adds a `customSitemaps` option to include extra sitemaps in the `sitemap-index.xml` file generated by Astro. - -This is useful for multi-framework setups on the same domain as your Astro site (`example.com`), such as a blog at `example.com/blog` whose sitemap is generated by another framework. - -The following example shows configuring your Astro site to include sitemaps for an externally-generated blog and help center along with the generated sitemap entries in `sitemap-index.xml`: - -Example: - -```js -import { defineConfig } from 'astro/config'; -import sitemap from '@astrojs/sitemap'; - -export default defineConfig({ - site: 'https://example.com', - integrations: [ - sitemap({ - customSitemaps: ['https://example.com/blog/sitemap.xml', 'https://example.com/helpcenter/sitemap.xml'], - }), - ], -}); -``` - -Learn more in the [`@astrojs/sitemap` configuration documentation](https://docs.astro.build/en/guides/integrations-guide/sitemap/#configuration).
examples/basics/package.json+1 −1 modified@@ -10,6 +10,6 @@ "astro": "astro" }, "dependencies": { - "astro": "^5.12.9" + "astro": "^5.13.0" } }
examples/blog/package.json+2 −2 modified@@ -12,8 +12,8 @@ "dependencies": { "@astrojs/mdx": "^4.3.3", "@astrojs/rss": "^4.0.12", - "@astrojs/sitemap": "^3.4.2", - "astro": "^5.12.9", + "@astrojs/sitemap": "^3.5.0", + "astro": "^5.13.0", "sharp": "^0.34.2" } }
examples/component/package.json+1 −1 modified@@ -15,7 +15,7 @@ ], "scripts": {}, "devDependencies": { - "astro": "^5.12.9" + "astro": "^5.13.0" }, "peerDependencies": { "astro": "^4.0.0 || ^5.0.0"
examples/container-with-vitest/package.json+1 −1 modified@@ -12,7 +12,7 @@ }, "dependencies": { "@astrojs/react": "^4.3.0", - "astro": "^5.12.9", + "astro": "^5.13.0", "react": "^18.3.1", "react-dom": "^18.3.1", "vitest": "^3.1.1"
examples/framework-alpine/package.json+1 −1 modified@@ -13,6 +13,6 @@ "@astrojs/alpinejs": "^0.4.8", "@types/alpinejs": "^3.13.11", "alpinejs": "^3.14.9", - "astro": "^5.12.9" + "astro": "^5.13.0" } }
examples/framework-multiple/package.json+1 −1 modified@@ -17,7 +17,7 @@ "@astrojs/vue": "^5.1.0", "@types/react": "^18.3.20", "@types/react-dom": "^18.3.6", - "astro": "^5.12.9", + "astro": "^5.13.0", "preact": "^10.26.5", "react": "^18.3.1", "react-dom": "^18.3.1",
examples/framework-preact/package.json+1 −1 modified@@ -12,7 +12,7 @@ "dependencies": { "@astrojs/preact": "^4.1.0", "@preact/signals": "^2.0.3", - "astro": "^5.12.9", + "astro": "^5.13.0", "preact": "^10.26.5" } }
examples/framework-react/package.json+1 −1 modified@@ -13,7 +13,7 @@ "@astrojs/react": "^4.3.0", "@types/react": "^18.3.20", "@types/react-dom": "^18.3.6", - "astro": "^5.12.9", + "astro": "^5.13.0", "react": "^18.3.1", "react-dom": "^18.3.1" }
examples/framework-solid/package.json+1 −1 modified@@ -11,7 +11,7 @@ }, "dependencies": { "@astrojs/solid-js": "^5.1.0", - "astro": "^5.12.9", + "astro": "^5.13.0", "solid-js": "^1.9.5" } }
examples/framework-svelte/package.json+1 −1 modified@@ -11,7 +11,7 @@ }, "dependencies": { "@astrojs/svelte": "^7.1.0", - "astro": "^5.12.9", + "astro": "^5.13.0", "svelte": "^5.25.7" } }
examples/framework-vue/package.json+1 −1 modified@@ -11,7 +11,7 @@ }, "dependencies": { "@astrojs/vue": "^5.1.0", - "astro": "^5.12.9", + "astro": "^5.13.0", "vue": "^3.5.13" } }
examples/hackernews/package.json+2 −2 modified@@ -10,7 +10,7 @@ "astro": "astro" }, "dependencies": { - "@astrojs/node": "^9.4.0", - "astro": "^5.12.9" + "@astrojs/node": "^9.4.1", + "astro": "^5.13.0" } }
examples/integration/package.json+1 −1 modified@@ -15,7 +15,7 @@ ], "scripts": {}, "devDependencies": { - "astro": "^5.12.9" + "astro": "^5.13.0" }, "peerDependencies": { "astro": "^4.0.0"
examples/minimal/package.json+1 −1 modified@@ -10,6 +10,6 @@ "astro": "astro" }, "dependencies": { - "astro": "^5.12.9" + "astro": "^5.13.0" } }
examples/portfolio/package.json+1 −1 modified@@ -10,6 +10,6 @@ "astro": "astro" }, "dependencies": { - "astro": "^5.12.9" + "astro": "^5.13.0" } }
examples/ssr/package.json+2 −2 modified@@ -11,9 +11,9 @@ "server": "node dist/server/entry.mjs" }, "dependencies": { - "@astrojs/node": "^9.4.0", + "@astrojs/node": "^9.4.1", "@astrojs/svelte": "^7.1.0", - "astro": "^5.12.9", + "astro": "^5.13.0", "svelte": "^5.25.7" } }
examples/starlog/package.json+1 −1 modified@@ -9,7 +9,7 @@ "astro": "astro" }, "dependencies": { - "astro": "^5.12.9", + "astro": "^5.13.0", "sass": "^1.86.3", "sharp": "^0.33.3" }
examples/toolbar-app/package.json+1 −1 modified@@ -16,6 +16,6 @@ }, "devDependencies": { "@types/node": "^18.17.8", - "astro": "^5.12.9" + "astro": "^5.13.0" } }
examples/with-markdoc/package.json+1 −1 modified@@ -11,6 +11,6 @@ }, "dependencies": { "@astrojs/markdoc": "^0.15.4", - "astro": "^5.12.9" + "astro": "^5.13.0" } }
examples/with-mdx/package.json+1 −1 modified@@ -12,7 +12,7 @@ "dependencies": { "@astrojs/mdx": "^4.3.3", "@astrojs/preact": "^4.1.0", - "astro": "^5.12.9", + "astro": "^5.13.0", "preact": "^10.26.5" } }
examples/with-nanostores/package.json+1 −1 modified@@ -12,7 +12,7 @@ "dependencies": { "@astrojs/preact": "^4.1.0", "@nanostores/preact": "^0.5.2", - "astro": "^5.12.9", + "astro": "^5.13.0", "nanostores": "^0.11.4", "preact": "^10.26.5" }
examples/with-tailwindcss/package.json+1 −1 modified@@ -13,7 +13,7 @@ "@astrojs/mdx": "^4.3.3", "@tailwindcss/vite": "^4.1.3", "@types/canvas-confetti": "^1.9.0", - "astro": "^5.12.9", + "astro": "^5.13.0", "canvas-confetti": "^1.9.3", "tailwindcss": "^4.1.3" }
examples/with-vitest/package.json+1 −1 modified@@ -11,7 +11,7 @@ "test": "vitest" }, "dependencies": { - "astro": "^5.12.9", + "astro": "^5.13.0", "vitest": "^3.1.1" } }
packages/astro/CHANGELOG.md+93 −0 modified@@ -1,5 +1,98 @@ # astro +## 5.13.0 + +### Minor Changes + +- [#14173](https://github.com/withastro/astro/pull/14173) [`39911b8`](https://github.com/withastro/astro/commit/39911b823d4617d99cc95e4b7584e9e4b7b90038) Thanks [@florian-lefebvre](https://github.com/florian-lefebvre)! - Adds an experimental flag `staticImportMetaEnv` to disable the replacement of `import.meta.env` values with `process.env` calls and their coercion of environment variable values. This supersedes the `rawEnvValues` experimental flag, which is now removed. + + Astro allows you to configure a [type-safe schema for your environment variables](https://docs.astro.build/en/guides/environment-variables/#type-safe-environment-variables), and converts variables imported via `astro:env` into the expected type. This is the recommended way to use environment variables in Astro, as it allows you to easily see and manage whether your variables are public or secret, available on the client or only on the server at build time, and the data type of your values. + + However, you can still access environment variables through `process.env` and `import.meta.env` directly when needed. This was the only way to use environment variables in Astro before `astro:env` was added in Astro 5.0, and Astro's default handling of `import.meta.env` includes some logic that was only needed for earlier versions of Astro. + + The `experimental.staticImportMetaEnv` flag updates the behavior of `import.meta.env` to align with [Vite's handling of environment variables](https://vite.dev/guide/env-and-mode.html#env-variables) and for better ease of use with Astro's current implementations and features. **This will become the default behavior in Astro 6.0**, and this early preview is introduced as an experimental feature. + + Currently, non-public `import.meta.env` environment variables are replaced by a reference to `process.env`. Additionally, Astro may also convert the value type of your environment variables used through `import.meta.env`, which can prevent access to some values such as the strings `"true"` (which is converted to a boolean value), and `"1"` (which is converted to a number). + + The `experimental.staticImportMetaEnv` flag simplifies Astro's default behavior, making it easier to understand and use. Astro will no longer replace any `import.meta.env` environment variables with a `process.env` call, nor will it coerce values. + + To enable this feature, add the experimental flag in your Astro config and remove `rawEnvValues` if it was enabled: + + ```diff + // astro.config.mjs + import { defineConfig } from "astro/config"; + + export default defineConfig({ + + experimental: { + + staticImportMetaEnv: true + - rawEnvValues: false + + } + }); + ``` + + #### Updating your project + + If you were relying on Astro's default coercion, you may need to update your project code to apply it manually: + + ```diff + // src/components/MyComponent.astro + - const enabled: boolean = import.meta.env.ENABLED; + + const enabled: boolean = import.meta.env.ENABLED === "true"; + ``` + + If you were relying on the transformation into `process.env` calls, you may need to update your project code to apply it manually: + + ```diff + // src/components/MyComponent.astro + - const enabled: boolean = import.meta.env.DB_PASSWORD; + + const enabled: boolean = process.env.DB_PASSWORD; + ``` + + You may also need to update types: + + ```diff + // src/env.d.ts + interface ImportMetaEnv { + readonly PUBLIC_POKEAPI: string; + - readonly DB_PASSWORD: string; + - readonly ENABLED: boolean; + + readonly ENABLED: string; + } + + interface ImportMeta { + readonly env: ImportMetaEnv; + } + + + namespace NodeJS { + + interface ProcessEnv { + + DB_PASSWORD: string; + + } + + } + ``` + + See the [experimental static `import.meta.env` documentation](https://docs.astro.build/en/reference/experimental-flags/static-import-meta-env/) for more information about this feature. You can learn more about using environment variables in Astro, including `astro:env`, in the [environment variables documentation](https://docs.astro.build/en/guides/environment-variables/). + +- [#14122](https://github.com/withastro/astro/pull/14122) [`41ed3ac`](https://github.com/withastro/astro/commit/41ed3ac54adf1025a38031757ee0bfaef8504092) Thanks [@ascorbic](https://github.com/ascorbic)! - Adds experimental support for automatic [Chrome DevTools workspace folders](https://developer.chrome.com/docs/devtools/workspaces) + + This feature allows you to edit files directly in the browser and have those changes reflected in your local file system via a connected workspace folder. This allows you to apply edits such as CSS tweaks without leaving your browser tab! + + With this feature enabled, the Astro dev server will automatically configure a Chrome DevTools workspace for your project. Your project will then appear as a workspace source, ready to connect. Then, changes that you make in the "Sources" panel are automatically saved to your project source code. + + To enable this feature, add the experimental flag `chromeDevtoolsWorkspace` to your Astro config: + + ```js + // astro.config.mjs + import { defineConfig } from 'astro/config'; + + export default defineConfig({ + experimental: { + chromeDevtoolsWorkspace: true, + }, + }); + ``` + + See the [experimental Chrome DevTools workspace feature documentation](https://docs.astro.build/en/reference/experimental-flags/chrome-devtools-workspace/) for more information. + ## 5.12.9 ### Patch Changes
packages/astro/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "astro", - "version": "5.12.9", + "version": "5.13.0", "description": "Astro is a modern site builder with web best practices, performance, and DX front-of-mind.", "type": "module", "author": "withastro",
packages/integrations/node/CHANGELOG.md+6 −0 modified@@ -1,5 +1,11 @@ # @astrojs/node +## 9.4.1 + +### Patch Changes + +- [`5fc3c59`](https://github.com/withastro/astro/commit/5fc3c599cacb0172cc7d8e1202a5f2e8685d7ef2) Thanks [@ematipico](https://github.com/ematipico)! - Fixes a routing bug in standalone mode with `trailingSlash` set to `"always"`. + ## 9.4.0 ### Minor Changes
packages/integrations/node/package.json+1 −1 modified@@ -1,7 +1,7 @@ { "name": "@astrojs/node", "description": "Deploy your site to a Node.js server", - "version": "9.4.0", + "version": "9.4.1", "type": "module", "types": "./dist/index.d.ts", "author": "withastro",
packages/integrations/sitemap/CHANGELOG.md+31 −0 modified@@ -1,5 +1,36 @@ # @astrojs/sitemap +## 3.5.0 + +### Minor Changes + +- [#13682](https://github.com/withastro/astro/pull/13682) [`5824b32`](https://github.com/withastro/astro/commit/5824b32c5cc5d58c1138e408a05d1be18924c711) Thanks [@gouravkhunger](https://github.com/gouravkhunger)! - Adds a `customSitemaps` option to include extra sitemaps in the `sitemap-index.xml` file generated by Astro. + + This is useful for multi-framework setups on the same domain as your Astro site (`example.com`), such as a blog at `example.com/blog` whose sitemap is generated by another framework. + + The following example shows configuring your Astro site to include sitemaps for an externally-generated blog and help center along with the generated sitemap entries in `sitemap-index.xml`: + + Example: + + ```js + import { defineConfig } from 'astro/config'; + import sitemap from '@astrojs/sitemap'; + + export default defineConfig({ + site: 'https://example.com', + integrations: [ + sitemap({ + customSitemaps: [ + 'https://example.com/blog/sitemap.xml', + 'https://example.com/helpcenter/sitemap.xml', + ], + }), + ], + }); + ``` + + Learn more in the [`@astrojs/sitemap` configuration documentation](https://docs.astro.build/en/guides/integrations-guide/sitemap/#configuration). + ## 3.4.2 ### Patch Changes
packages/integrations/sitemap/package.json+1 −1 modified@@ -1,7 +1,7 @@ { "name": "@astrojs/sitemap", "description": "Generate a sitemap for your Astro site", - "version": "3.4.2", + "version": "3.5.0", "type": "module", "types": "./dist/index.d.ts", "author": "withastro",
pnpm-lock.yaml+26 −26 modified@@ -145,7 +145,7 @@ importers: examples/basics: dependencies: astro: - specifier: ^5.12.9 + specifier: ^5.13.0 version: link:../../packages/astro examples/blog: @@ -157,10 +157,10 @@ importers: specifier: ^4.0.12 version: link:../../packages/astro-rss '@astrojs/sitemap': - specifier: ^3.4.2 + specifier: ^3.5.0 version: link:../../packages/integrations/sitemap astro: - specifier: ^5.12.9 + specifier: ^5.13.0 version: link:../../packages/astro sharp: specifier: ^0.34.2 @@ -169,7 +169,7 @@ importers: examples/component: devDependencies: astro: - specifier: ^5.12.9 + specifier: ^5.13.0 version: link:../../packages/astro examples/container-with-vitest: @@ -178,7 +178,7 @@ importers: specifier: ^4.3.0 version: link:../../packages/integrations/react astro: - specifier: ^5.12.9 + specifier: ^5.13.0 version: link:../../packages/astro react: specifier: ^18.3.1 @@ -209,7 +209,7 @@ importers: specifier: ^3.14.9 version: 3.14.9 astro: - specifier: ^5.12.9 + specifier: ^5.13.0 version: link:../../packages/astro examples/framework-multiple: @@ -236,7 +236,7 @@ importers: specifier: ^18.3.6 version: 18.3.7(@types/react@18.3.23) astro: - specifier: ^5.12.9 + specifier: ^5.13.0 version: link:../../packages/astro preact: specifier: ^10.26.5 @@ -266,7 +266,7 @@ importers: specifier: ^2.0.3 version: 2.2.1(preact@10.27.0) astro: - specifier: ^5.12.9 + specifier: ^5.13.0 version: link:../../packages/astro preact: specifier: ^10.26.5 @@ -284,7 +284,7 @@ importers: specifier: ^18.3.6 version: 18.3.7(@types/react@18.3.23) astro: - specifier: ^5.12.9 + specifier: ^5.13.0 version: link:../../packages/astro react: specifier: ^18.3.1 @@ -299,7 +299,7 @@ importers: specifier: ^5.1.0 version: link:../../packages/integrations/solid astro: - specifier: ^5.12.9 + specifier: ^5.13.0 version: link:../../packages/astro solid-js: specifier: ^1.9.5 @@ -311,7 +311,7 @@ importers: specifier: ^7.1.0 version: link:../../packages/integrations/svelte astro: - specifier: ^5.12.9 + specifier: ^5.13.0 version: link:../../packages/astro svelte: specifier: ^5.25.7 @@ -323,7 +323,7 @@ importers: specifier: ^5.1.0 version: link:../../packages/integrations/vue astro: - specifier: ^5.12.9 + specifier: ^5.13.0 version: link:../../packages/astro vue: specifier: ^3.5.13 @@ -332,40 +332,40 @@ importers: examples/hackernews: dependencies: '@astrojs/node': - specifier: ^9.4.0 + specifier: ^9.4.1 version: link:../../packages/integrations/node astro: - specifier: ^5.12.9 + specifier: ^5.13.0 version: link:../../packages/astro examples/integration: devDependencies: astro: - specifier: ^5.12.9 + specifier: ^5.13.0 version: link:../../packages/astro examples/minimal: dependencies: astro: - specifier: ^5.12.9 + specifier: ^5.13.0 version: link:../../packages/astro examples/portfolio: dependencies: astro: - specifier: ^5.12.9 + specifier: ^5.13.0 version: link:../../packages/astro examples/ssr: dependencies: '@astrojs/node': - specifier: ^9.4.0 + specifier: ^9.4.1 version: link:../../packages/integrations/node '@astrojs/svelte': specifier: ^7.1.0 version: link:../../packages/integrations/svelte astro: - specifier: ^5.12.9 + specifier: ^5.13.0 version: link:../../packages/astro svelte: specifier: ^5.25.7 @@ -374,7 +374,7 @@ importers: examples/starlog: dependencies: astro: - specifier: ^5.12.9 + specifier: ^5.13.0 version: link:../../packages/astro sass: specifier: ^1.86.3 @@ -389,7 +389,7 @@ importers: specifier: ^18.17.8 version: 18.19.50 astro: - specifier: ^5.12.9 + specifier: ^5.13.0 version: link:../../packages/astro examples/with-markdoc: @@ -398,7 +398,7 @@ importers: specifier: ^0.15.4 version: link:../../packages/integrations/markdoc astro: - specifier: ^5.12.9 + specifier: ^5.13.0 version: link:../../packages/astro examples/with-mdx: @@ -410,7 +410,7 @@ importers: specifier: ^4.1.0 version: link:../../packages/integrations/preact astro: - specifier: ^5.12.9 + specifier: ^5.13.0 version: link:../../packages/astro preact: specifier: ^10.26.5 @@ -425,7 +425,7 @@ importers: specifier: ^0.5.2 version: 0.5.2(nanostores@0.11.4)(preact@10.27.0) astro: - specifier: ^5.12.9 + specifier: ^5.13.0 version: link:../../packages/astro nanostores: specifier: ^0.11.4 @@ -446,7 +446,7 @@ importers: specifier: ^1.9.0 version: 1.9.0 astro: - specifier: ^5.12.9 + specifier: ^5.13.0 version: link:../../packages/astro canvas-confetti: specifier: ^1.9.3 @@ -458,7 +458,7 @@ importers: examples/with-vitest: dependencies: astro: - specifier: ^5.12.9 + specifier: ^5.13.0 version: link:../../packages/astro vitest: specifier: ^3.1.1
5fc3c599cacbMerge commit from fork
3 files changed · +45 −2
.changeset/lemon-wombats-bathe.md+5 −0 added@@ -0,0 +1,5 @@ +--- +'@astrojs/node': patch +--- + +Fixes a routing bug in standalone mode with `trailingSlash` set to `"always"`.
packages/integrations/node/src/serve-static.ts+4 −2 modified@@ -2,7 +2,7 @@ import fs from 'node:fs'; import type { IncomingMessage, ServerResponse } from 'node:http'; import path from 'node:path'; import url from 'node:url'; -import { hasFileExtension } from '@astrojs/internal-helpers/path'; +import { hasFileExtension, isInternalPath } from '@astrojs/internal-helpers/path'; import type { NodeApp } from 'astro/app/node'; import send from 'send'; import type { Options } from './types.js'; @@ -66,7 +66,9 @@ export function createStaticHandler(app: NodeApp, options: Options) { } case 'always': { // trailing slash is not added to "subresources" - if (!hasSlash && !hasFileExtension(urlPath)) { + // We check if `urlPath` doesn't contain possible internal paths. This should prevent + // redirects to unwanted paths + if (!hasSlash && !hasFileExtension(urlPath) && !isInternalPath(urlPath)) { pathname = urlPath + '/' + (urlQuery ? '?' + urlQuery : ''); res.statusCode = 301; res.setHeader('Location', pathname);
packages/integrations/node/test/trailing-slash.test.js+36 −0 modified@@ -92,6 +92,7 @@ describe('Trailing slash', () => { assert.equal(res.status, 200); }); + }); describe('Without base', async () => { before(async () => { @@ -174,6 +175,41 @@ describe('Trailing slash', () => { assert.equal(res.status, 200); }); }); + + + describe("Without automatic output", () => { + before(async () => { + process.env.ASTRO_NODE_AUTOSTART = 'disabled'; + + fixture = await loadFixture({ + root: './fixtures/trailing-slash/', + trailingSlash: 'always', + adapter: nodejs({ mode: 'standalone' }), + }); + await fixture.build(); + const { startServer } = await fixture.loadAdapterEntryModule(); + const res = startServer(); + server = res.server; + await waitServerListen(server.server); + }); + + after(async () => { + await server.stop(); + await fixture.clean(); + + }); + + it("Should return 404 when trying to serve a page with an internal path added to the URL", async () => { + let res = await fetch(`http://${server.host}:${server.port}//astro.build/press`); + assert.equal(res.status, 404); + res = await fetch(`http://${server.host}:${server.port}/foo//astro.build/press`); + assert.equal(res.status, 404); + res = await fetch(`http://${server.host}:${server.port}//example.com/es//astro.build`); + assert.equal(res.status, 404); + res = await fetch(`http://${server.host}:${server.port}//example.com/es//astro.build/press`); + assert.equal(res.status, 404); + }) + }) }); describe('Never', async () => { describe('With base', async () => {
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4News mentions
0No linked articles in our index yet.